Mar 05 2019 03:21 AM
Hi all.
Require some advice please - 365 hybrid to ADFS 4.0. Looking to turn on MFA for users, although require to bypass all mobile and Skype - also don't MFA on internal.
Can anyone assist with the correct rules we require for the ADFS server please?
Many thanks
Mar 05 2019 11:55 AM
That's what Claims rules are for. I have a few examples here: http://www.enowsoftware.com/solutions-engine/ad-fs-claims-rules-and-modern-authentication
You can find more in the official documentation.
Mar 05 2019 12:32 PM
Thanks, it is that I am after assistance with.
Does the order take priority?
Basically I require something that does not enforce MFA for Skype and ActiveSync; not all users at the moment are on MFA, and everything I have been looking at enforces MFA unless it matches X.
Mar 06 2019 02:44 AM
There are many example rules that do that, just look at the documentation. For example, this article: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-w2...
And here's a sample rule we used with one of my customers back in the day:
NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "insert_list_of_IP_addresses_here"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|ucmapi|WLMHttpTransport|Lync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
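The rule above is a deny rule; for the MFA case the original poster describes, the rule has to issue the "multipleauthn" claim instead. The following is an added example (not code from the thread or from Microsoft): a global AD FS additional-authentication rule that prompts for MFA only for external requests that are neither ActiveSync nor Lync/Skype clients, limited to a pilot group so MFA can be phased in. The group SID is a placeholder; the claim types are the standard AD FS request-context claims.

```powershell
# Added example: global additional-authentication rule for AD FS 4.0.
# MFA is requested only when ALL of the following hold:
#   - the request did not come from the corporate network,
#   - it is not an Exchange ActiveSync client,
#   - it is not a Lync/Skype client (same user-agent list as the deny rule above),
#   - the user is a member of the pilot group (placeholder SID, phased rollout).
# Every other request completes with primary authentication only.
$pilotGroupSid = 'S-1-5-21-PLACEHOLDER-PILOT-GROUP-SID'   # assumption: replace with your group's SID

$mfaRule = @"
NOT exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "lync|ucmapi|WLMHttpTransport|Lync"])
 && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$pilotGroupSid"])
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Record the current rule set first so it can be restored if the pilot misbehaves.
$previousRules = Get-AdfsAdditionalAuthenticationRule
Write-Host "Previous additional authentication rules:`n$previousRules"

# Apply the rule globally (use Set-AdfsRelyingPartyTrust -AdditionalAuthenticationRules
# on the Office 365 trust instead if it should only affect that relying party).
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Read it back to confirm what AD FS actually stored before testing with a pilot user.
Get-AdfsAdditionalAuthenticationRule
```

Clients matched by the ActiveSync and Lync exemptions authenticate with primary credentials only, so it is worth checking in the AD FS audit logs which accounts still use those paths externally before widening the pilot group.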
Nov 28 2019 02:18 PM
@Vasil Michev Hi Vasil, is there a way to bypass MFA (3rd party) only for Intune, while for the rest of the M365 apps (SharePoint, Teams, etc.) it works in the normal way? If yes, can you please provide an example of claim rules for the same. Thanks.